Order-Revealing Encryption:

Size: px

Start display at page:

Download "Order-Revealing Encryption:"

Phyllis Hampton
5 years ago
Views:

1 Order-Revealing Encryption: How to Search on Encrypted Data Kevin Lewi and David J. Wu Stanford University

2 Searching on Encrypted Data

3 Searching on Encrypted Data

4 Searching on Encrypted Data

5 Searching on Encrypted Data

6 Searching on Encrypted Data

7 Searching on Encrypted Data

8 Searching on Encrypted Data data breaches have become the norm rather than the exception

9 Why Not Encrypt? because it would have hurt Yahoo s ability to index and search messages to provide new user services ~Jeff Bonforte (Yahoo SVP)

10 client server Order-Revealing Encryption [BLRSZZ 15] secret-key encryption scheme Which is greater: the value encrypted by ct 1 or the value encrypted by ct 2? sk ct 1 = Enc(sk, 123) ct 2 = Enc(sk, 512) ct 3 = Enc(sk, 273) (legacy-friendly) range queries on encrypted data

11 Order-Revealing Encryption [BLRSZZ 15] given any two ciphertexts ct 1 = Enc(sk, x) ct 2 = Enc(sk, y) there is a public function for performing comparisons x > y OPE [BCLO 09]: comparison function is numeric comparison on ciphertexts

12 Space Efficiency The Landscape of ORE OPE [BCLO 09] Practical ORE [CLWW 16] This work schemes with precise leakage profile [CLWW 16] Concurrent work [CLOZ 16, JP 16] constructions based on mmaps [BLRSZZ 15] or obfuscation [GGGJKLSSZ 14] not drawn to scale Security

13 Inference Attacks [NKW 15, DDC 16, GSBNR 16] ID Name Age Diagnosis wpjoos 2wzXW8 SqX9l9 KqLUXE XdXdg8 y9gfps gwile3 MJ23b7 P6vKhW EgN0Jn S0pRJe ataejk orjre6 KQWy9U tpwf3m 4FBEO0 encrypted database + public information frequency and statistical analysis ID Name Age Diagnosis??? Alice ??? Bob ??? Charlie ?????? plaintext recovery

g., passive snapshots) adversary only sees contents

14 Online vs. Offline Security adversary sees encrypted database + queries and can interact with the database online attacks (e.g., active corruption) offline attacks (e.g., passive snapshots) adversary only sees contents of encrypted database typical database breach: contents of database are stolen and dumped onto the web

15 Inference Attacks [NKW 15, DDC 16, GSBNR 16] PPE schemes always reveal certain properties (e.g., equality, order) on ciphertexts and thus, are vulnerable to offline inference attacks Can we fully defend against offline inference attacks while remaining legacy-friendly?

16 This Work Can we fully defend against offline inference attacks while remaining legacy-friendly? Trivial solution: encrypt the entire database, and have client provide decryption key at query time Desiderata: an ORE scheme that enables: perfect offline security limited leakage in the online setting But no online security!

17 ORE with Additional Structure Focus of this work: performing range queries on encrypted data Key primitive: order-revealing encryption scheme where ciphertexts have a decomposable structure Enc 101 Enc L 101 Enc R 100 ct L ct R ct L ct R ciphertexts naturally split into two components greater than

18 ORE with Additional Structure Enc L 101 Enc R 100 ct L ct R right ciphertexts provide semantic security! comparison can be performed between left ciphertext and right ciphertext robustness against offline inference attacks!

19 Encrypted Range Queries store right ciphertexts in sorted order ID Name Age Diagnosis 0 Alice Bob Charlie Inigo 45 4 Age Enc R (31) Enc R (41) Enc R (45) Enc R (47) build encrypted index ID Enc(0) Enc(2) Enc(3) Enc(1) record IDs encrypted under independent key Name ID Enc R (Alice) Enc(0) Age ID Enc R (Bob) Enc(1) Enc Enc R (Charlie) R (31) Enc(0) Diagnosis Enc(2) ID Enc Enc R (Inigo) R (41) Enc(2) Enc Enc(3) Enc R (45) R (2) Enc(2) Enc(3) Enc Enc R (47) R (2) Enc(0) Enc(1) Enc R (3) Enc(1) Enc R (4) Enc(3) separate index for each searchable column, and using independent ORE keys

20 Encrypted Range Queries Encrypted database: ID Name Age Diagnosis 0 Alice Bob Charlie Inigo 45 4 columns (other than ID) are encrypted using a semanticallysecure encryption scheme clients hold (secret) keys needed to decrypt and query database Name ID Enc R (Alice) Enc(0) Age ID Enc R (Bob) Enc(1) Enc Enc R (Charlie) R (31) Enc(0) Diagnosis Enc(2) ID Enc Enc R (Inigo) R (41) Enc(2) Enc Enc(3) Enc R (45) R (2) Enc(2) Enc(3) Enc Enc R (47) R (2) Enc(0) Enc(1) Enc R (3) Enc(1) Enc R (4) Enc(3) encrypted search indices

21 Encrypted Range Queries Query for all records where 40 age 45: Enc L (40) Enc L (45)

22 Encrypted Range Queries Query for all records where 40 age 45: Enc L (40) Enc L (45) Age Enc R (31) Enc R (41) Enc R (45) Enc R (47) ID Enc(0) Enc(2) Enc(3) Enc(1)

23 Encrypted Range Queries Query for all records where 40 age 45: Enc L (40) Enc L (45) Age Enc R (31) Enc R (41) Enc R (45) Enc R (47) ID Enc(0) Enc(2) Enc(3) Enc(1) use binary search to determine endpoints (comparison via ORE)

24 Encrypted Range Queries Query for all records where 40 age 45: Enc L (40) Enc L (45) Age Enc R (31) Enc R (41) Enc R (45) Enc R (47) ID Enc(0) Enc(2) Enc(3) Enc(1) use binary search to determine endpoints (comparison via ORE)

25 Encrypted Range Queries Query for all records where 40 age 45: Age ID Enc L (40) Enc L (45) Enc R (31) Enc R (41) Enc R (45) Enc R (47) Enc(0) Enc(2) Enc(3) Enc(1) return encrypted indices that match query use binary search to determine endpoints (comparison via ORE)

26 Encrypted Range Queries Query for all records where 40 age 45: Enc(2) Enc(3) client decrypts indices to obtain set of matching records

27 Encrypted Range Queries Query for all records where 40 age 45: Enc(2) Enc(3) Records 2, 3 Enc(r 2 ) Enc(r 3 )

28 Encrypted Range Queries Query for all records where 40 age 45: Enc(2) Enc(3) Records 2, 3 Enc(r 2 ) Enc(r 3 ) client decrypts to obtain records

29 Encrypted Range Queries Query for all records where 40 age 45: Enc(2) Enc(3) Records 2, 3 Enc(r 2 ) Enc(r 3 ) some online leakage: access pattern + ORE leakage

30 Encrypted Range Queries Encrypted database: ID Name Age Diagnosis 0 Alice Bob Charlie Inigo 45 4 encrypted database is semantically secure! Perfect offline security Name ID Enc R (Alice) Enc(0) Age ID Enc R (Bob) Enc(1) Enc Enc R (Charlie) R (31) Enc(0) Diagnosis Enc(2) ID Enc Enc R (Inigo) R (41) Enc(2) Enc Enc(3) Enc R (45) R (2) Enc(2) Enc(3) Enc Enc R (47) R (2) Enc(0) Enc(1) Enc R (3) Enc(1) Enc R (4) Enc(3) encrypted search indices

31 Space Efficiency The Landscape of ORE OPE [BCLO 09] Practical ORE [CLWW 16] broken by inference attacks [NKW 15, DDC 16, GSBNR 16] This work can provide perfect offline security Concurrent work [CLOZ 16, JP 16] constructions based on mmaps [BLRSZZ 15] or obfuscation [GGGJKLSSZ 14] Not drawn to scale Security

32 Our New ORE Scheme small-domain ORE with best-possible security domain extension technique inspired by CLWW 16 large-domain ORE with some leakage

33 Small-Domain ORE with Best-Possible Security Suppose plaintext space is small: 1,2,, N 1 k 1 associate a key with each value 2 3 k 2 k 3 k 1,, k N is the secret key (can be derived from a PRF) N k N

34 Small-Domain ORE with Best-Possible Security Encrypting a value i Position i Invariant: all positions i have value 1 while all positions > i have value 0

35 Small-Domain ORE with Best-Possible Security Encrypting a value i k 1 k 2 k i k i+1 k N encrypt each slot with key for that slot To allow comparisons, also give out key for slot i k i k 1 k 2 k i k i+1 k N

36 Small-Domain ORE with Best-Possible Security Given two ciphertexts k i k 1 k i k i+1 k j k N 0 Decrypt to learn ordering k j k 1 k i k j k j+1 k N 0

37 Small-Domain ORE with Best-Possible Security Given two ciphertexts k i k 1 k i k i+1 k j k N But this reveals i 0 k j k 1 k i k j k j+1 k N 0

38 Small-Domain ORE with Best-Possible Security Solution: apply random permutation π (part of the secret key) to the slots k i k 1 k 2 k i k i+1 k N

Small-Domain ORE with Best-Possible Security Solution: apply random permutation π (part of the secret key) to the slots k π(i) 1 1 1 0 0 k π(1)

39 Small-Domain ORE with Best-Possible Security Solution: apply random permutation π (part of the secret key) to the slots k π(i) k π(1) k π 2 k π(i) k π i+1 k π(n) includes index π(i) semantically secure (right ciphertext) Achieves best-possible security, but ciphertexts are big

40 Domain Extension for ORE Key idea: decompose message into smaller blocks and apply small-domain ORE to each block split into two 4-bit chunks b 1 b 2 b 3 b 4 b 5 b 6 b 7 b 8 k π(i) k π(1) k π 2 k π(i) k π i+1 k π(n) k π i k π k π 2 k π j k π j+1 k π N encrypt each chunk using an ORE instance with a secret key derived from the prefix

41 Domain Extension for ORE Key idea: decompose message into smaller blocks and apply small-domain ORE to each block split into two 4-bit chunks b 1 b 2 b 3 b 4 Keys b 5 derived b 6 bfrom 7 b 8 Keys derived from empty prefix k π(i) k π(1) k π 2 k π(i) k π i+1 k π(n) prefix b 1 b 2 b 3 b 4 k π i k π k π 2 k π j k π j+1 k π N encrypt each chunk using an ORE instance with a secret key derived from the prefix

42 Domain Extension for ORE b 1 b 2 b 3 b 4 b 5 b 6 b 7 b 8 k π(i) k π(1) k π 2 k π(i) k π i+1 k π(n) k π i k π k π 2 k π j k π j+1 k π N comparison proceeds block-by-block k π(i) k π(1) k π 2 k π(i) k π i+1 k π(n) k π i k π k π 2 k π j k π j+1 k π N Overall leakage: first block that differs

43 Domain Extension for ORE Same decomposition into left and right ciphertexts: k π(i) k π(1) k π 2 k π(i) k π i+1 k π(n) k π i k π k π 2 k π j k π j+1 k π N left ciphertext right ciphertext Right ciphertexts provide semantic security! Note: optimizations are possible if we apply this technique in a non-black-box way to the smalldomain ORE. See paper for details.

44 Space Efficiency The Landscape of ORE OPE [BCLO 09] Leakage: position of first differing bit Leakage: position of first differing block Practical ORE [CLWW 16] This work Concurrent work [CLOZ 16, JP 16] constructions based on mmaps [BLRSZZ 15] or obfuscation [GGGJKLSSZ 14] not drawn to scale Security

45 Performance Evaluation Scheme Encrypt (μs) Compare (μs) ct (bytes) OPE [BCLO 09] Practical ORE [CLWW 16] This work (4-bit blocks) This work (8-bit blocks) This work (12-bit blocks) Benchmarks taken for C implementation of different schemes (with AES-NI). Measurements for encrypting 32-bit integers.

46 Performance Evaluation Scheme Encrypt (μs) Compare (μs) ct (bytes) OPE [BCLO 09] Practical ORE [CLWW 16] This work (4-bit blocks) This work (8-bit blocks) This work (12-bit blocks) Encrypting byte-size blocks is 65x faster than OPE, but ciphertexts are 30x longer. Security is substantially better.

47 Conclusions Inference attacks render most conventional PPE-based constructions insecure However, ORE is still a useful building block for encrypted databases Introduced new paradigm for constructing ORE that enables range queries in a way that is mostly legacy-compatible and provides offline semantic security New ORE construction that is concretely efficient with strong security In paper: new impossibility results for security achievable using OPE

48 Open Problems What kind of inference attacks on possible in the online setting? Indices encrypted separately, so multi-column correlations harder to infer More limited leakage profile (between left and right ciphertexts) Can we construct small-domain OREs (with best-possible security) and sublinear (in the size of the domain) ciphertext size from PRFs? Can we construct left/right ORE (from PRFs) where both left and right ciphertexts are semantically secure?

49 Questions? Paper: Website: Code:

Order-Revealing Encryption:

Order-Revealing Encryption: New Constructions, Applications and Lower Bounds Kevin Lewi and David J. Wu Stanford University Searching on Encrypted Data Searching on Encrypted Data Searching on Encrypted